Coffeehouse Thread

Ubuntu Critical Bug

  • Cybermagellan

    Someone found this out. Just a heads up for everyone who might be running Ubuntu.

    https://launchpad.net/distros/ubuntu/+bug/34606

    Bug #34606 in Ubuntu: "Administrator root password readable in cleartext on Breezy"

    I can confirm it, just done so.

  • TimP

    As was said on the bug report, this is the initial password of the user who can use sudo. It's not actually the root password and if the user has changed the password any time since install it no longer works. This is also a local exploit so the person must have shell access to the box. Fortunately 'chmod 700 questions.dat' will fix the issue.

    That said, it's still a fairly big issue and apparently this has already been fixed in the next release.
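
An added example, not part of the original thread or of Ubuntu's fix: a POSIX shell audit that lists files under a directory that group or others can read and applies the `chmod 700` fix mentioned above. The directory argument is a placeholder for wherever the installer left `questions.dat` (the thread gives no full path), and the demo file is constructed.

```shell
#!/bin/sh
# Added example (not from the thread). The directory passed in is a
# placeholder for the installer's data directory; no real path is assumed.

# List regular files under $1 that group or others can read.
list_exposed() {
    find "$1" -type f \( -perm -040 -o -perm -004 \) -print
}

# Apply the thread's fix (chmod 700) to every exposed file under $1,
# then return 0 only if nothing is left exposed.
lock_down() {
    list_exposed "$1" | while IFS= read -r f; do
        chmod 700 "$f"
    done
    [ -z "$(list_exposed "$1")" ]
}

# Constructed demo: a throwaway directory holding a world-readable file.
# Prints "<exposed before> <exposed after>".
demo() {
    d=$(mktemp -d)
    printf 'constructed sample, no real secret\n' > "$d/questions.dat"
    chmod 644 "$d/questions.dat"
    before=$(($(list_exposed "$d" | wc -l)))
    lock_down "$d"
    after=$(($(list_exposed "$d" | wc -l)))
    rm -rf "$d"
    echo "$before $after"
}

demo
```

Restricting the file's mode only stops further reads; as noted in the post above, the stored value stops working once the user changes the password.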

  • Karim

    My favorite comment on the Digg story:

    so much for that linux security huh. if this was MS there would be 5000000 linux fan boys screaming like banshees

    Big Smile



    I don't think they're going to catch you....

    Can we assume the entire Googleplex is affected by this bug?

  • Cairo

    Karim wrote:


    Can we assume the entire Googleplex is affected by this bug?


    Google uses RedHat... Tongue Out

  • Cybermagellan

    Karim wrote:





    Every time I see this picture I keep thinking about

    "I can see down your shirt!"

  • rjdohnert

    Actually Google uses a lot of different Linux distros

    Cairo wrote:
    Karim wrote:

    Can we assume the entire Googleplex is affected by this bug?


    Google uses RedHat...

  • rjdohnert

    One of the good Linux distros, what a shame it has a flaw. Does this mean Linux ain't hacker proof? Wink

  • Cairo

    It's been fixed.
    http://www.ubuntu.com/usn/usn-262-1

    Relevant Ubuntu forum post:
    http://www.ubuntuforums.org/showpost.php?p=818037&postcount=61

    So, er, yeah. This one sucked. As others have said, security updates are now making their way ASAP to both Breezy and Dapper (the latter for Breezy installs upgraded to Dapper). Here's the comment I just posted to OSNews about this:

    I'm the Ubuntu installer maintainer, so obviously this bug is ultimately my fault. I'm sorry for that - it's clear it shouldn't have sneaked past QA. (We'll be updating our testing processes to be rather more careful about this sort of thing.) Now that I've spent the evening doing security updates to clean up the mess, I thought I might take a moment to explain how this happened, and why it wasn't noticed as an issue in Breezy at the same time as it was fixed in Dapper.

    Fast response and a public mea culpa by the developer responsible. Yeah, open source sucks. Wink


  • Karim

    Cairo wrote:
    Fast response and a public mea culpa by the developer responsible. Yeah, open source sucks.



    That's awesome.   I'm impressed not just by the speed and the transparency -- though I guess "transparency" usually goes along with open source -- but by the fact this guy took OWNERSHIP of a security issue and said, "Yeah, that was my fault."

    You rarely see people owning problems these days.  Everyone wants the credit if it works; no one wants the blame if it blows up.

    I also liked that he didn't minimize the problem -- didn't claim it only affected a small number of customers or the usual BS.

    Kudos.

  • rjdohnert

    Microsoft would never have gotten that problem fixed in the matter of hours it took the Ubuntu guy. It would have been released as part of patch Tuesday 6 months from now. OMFG, Open Source is just so, well it's just so awesome. Tongue Out

  • Cybermagellan

    Wow this thread contains so much signal it's hurting my ears Smiley

    Yeah great to see they got it resolved so fast. True it was only under certain circumstances, however sadly on the Ubuntu Forums a lot of people met those circumstances, so say what you will, it still was/is an issue.

    I'm really glad to see people equally accepting that this happened and being open to the fact that none of us are perfect. Mark Shuttleworth (Ubuntu Deity) asked to postpone the next release for a few weeks, I think this gives him enough reason to.

    All in all I'd have to agree, Microsoft would have never had gotten this out so fast, however I wonder how many parts of Windows hold the password in Plain Text for it even to have become an issue?

  • rjdohnert

    Yeah I was partially joking.  I agree with what you just said.

    jaylittle wrote:
    rjdohnert wrote: Microsoft would never have gotten that problem fixed in the matter of hours it took the Ubuntu guy. It would have been released as part of patch Tuesday 6 months from now. OMFG, Open Source is just so, well it's just so awesome.

    I think you are partially joking but I also partially agree with you.  Microsoft would've required that their testing department signed a dozen forms in triplicate before they rolled the patch into their monthly release schedule.  Nonetheless, this was a rather nasty security hole and though it's been fixed in short order, it just goes to show you that security is something everybody needs to improve regardless of how accessible their source code is or isn't.

  • Harlequin

    rjdohnert wrote:
    Microsoft would never have gotten that problem fixed in the matter of hours it took the Ubuntu guy. It would have been released as part of patch Tuesday 6 months from now. OMFG, Open Source is just so, well it's just so awesome.


    I'm sure if/when Ubuntu is used on half a billion desktops, there is some sort of testing press before delivering a patch. Was there?

  • rjdohnert

    As if they don't have one now? One of the good things about the Linux approach (Everyone set your watches and remember this moment, I'm actually going to say something good about the Linux community) is that with Linux designed the way it is they can make changes and not have to worry about the whole system falling apart. If Microsoft makes a change to Internet Explorer, that's tied into Windows Explorer and it screws up, the entire OS is gonna go down.

    Harlequin wrote:
    rjdohnert wrote: Microsoft would never have gotten that problem fixed in the matter of hours it took the Ubuntu guy. It would have been released as part of patch Tuesday 6 months from now. OMFG, Open Source is just so, well it's just so awesome.


    I'm sure if/when Ubuntu is used on half a billion desktops, there is some sort of testing press before delivering a patch. Was there?

  • rjdohnert

    How easy is it to get wireless working with Ubuntu, do I have to french kiss an alligator and swim a maze with 10 great white sharks just to get it configured?

  • TimP

    I know quite a few people using wifi on their laptops with Ubuntu so I doubt it's too much hassle. Gentoo on the other hand... Expressionless

  • Harlequin

    But, as was brought up in another thread; how do you know that this fix didn't wreck something else? No test process or anything of the sort?

  • Sven Groot

    jaylittle wrote:
    Cybermagellan wrote: All in all I'd have to agree, Microsoft would have never had gotten this out so fast, however I wonder how many parts of Windows hold the password in Plain Text for it even to have become an issue?

    Crappy Lanman hashes aren't too far off from plaintext.  </half sarcasm>

    That's the first thing I do when I install a Windows domain controller (which doesn't happen that often, I admit Tongue Out ): go into the default domain policy, set the authentication level at "Send NTLMv2 only - refuse LM" and set "Don't store LANManager hashes at next password change" to enabled. Quite frankly I'm surprised this still isn't the default, even on Win2k3.
